ML Security PapersInvoluntary In-Context Learning: Exploiting Few-Shot Pattern Completion to Bypass Safety Alignment in GPT-5.4
Alex Polyakov , Daniel Kuznetsov
Published on arXiv
2604.19461
Prompt Injection
OWASP LLM Top 10 — LLM01
Key Finding
Achieves 24.0% bypass rate [18.6%, 30.4%] on HarmBench against GPT-5.4 with 619-word detailed responses; semantic operator naming achieves 100% bypass (50/50, p < 0.001)
IICL
Novel technique introduced
Safety alignment in large language models relies on behavioral training that can be overridden when sufficiently strong in-context patterns compete with learned refusal behaviors. We introduce Involuntary In-Context Learning (IICL), an attack class that uses abstract operator framing with few-shot examples to force pattern completion that overrides safety training. Through 3479 probes across 10 OpenAI models, we identify the attack's effective components through a seven-experiment ablation study. Key findings: (1)~semantic operator naming achieves 100\,\% bypass rate (50/50, $p < 0.001$); (2)~the attack requires abstract framing, since identical examples in direct question-and-answer format yield 0\,\%; (3)~example ordering matters strongly (interleaved: 76\,\%, harmful-first: 6\,\%); (4)~temperature has no meaningful effect (46--56\,\% across 0.0--1.0). On the HarmBench benchmark, IICL achieves 24.0\,\% bypass $[18.6\%, 30.4\%]$ against GPT-5.4 with detailed 619-word responses, compared to 0.0\,\% for direct queries.
Key Contributions
- Introduces Involuntary In-Context Learning (IICL) attack class using abstract operator framing to override safety training
- Seven-experiment ablation study across 3479 probes identifying semantic operator naming (100% bypass) and example ordering as critical factors
- Achieves 24.0% bypass rate on HarmBench against GPT-5.4 with detailed responses versus 0.0% for direct queries